Comment 3 for bug 2017056

Andrew Bogott (andrewbogott) wrote : Re: identity:list_services doesn't obey policy.yaml when enforcement is enabled

I think the problematic code is in oslo_policy.policy.Enforcer.enforce():

                registered_rule = self.registered_rules.get(rule)
                if registered_rule and registered_rule.scope_types:
                    scope_valid = self._enforce_scope(creds, registered_rule,
                                                      do_raise=do_raise)
                    if not scope_valid:
                        return False

Regardless of what I override, registered_rule is:

    "identity:list_services": "role:reader and system_scope:all"

Of course, elsewhere in the code it's testing the rule from yaml; it's only in that one place that it refers back to 'registered_rule', which apparently is not replaced from yaml.

So either that check is wrong, or something is wrong with how rules are registered in the first place.
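
A simplified model of the control flow described in the comment above, added here as an illustration and not taken from oslo.policy or from the bug report: the scope gate reads the registered default while the check string comes from the override. `MiniEnforcer`, `check()`, the credential dict layout and the `scope_types` value `["system"]` are assumptions made for the example.

```python
# Simplified model of the control flow quoted above; not oslo.policy code.
# MiniEnforcer, check() and the scope_types value are assumptions.

def check(check_str, creds):
    """Evaluate '', 'role:x' and 'system_scope:x' terms joined by ' and '."""
    for term in filter(None, (t.strip() for t in check_str.split(" and "))):
        kind, _, value = term.partition(":")
        if kind == "role":
            ok = value in creds.get("roles", ())
        elif kind == "system_scope":
            ok = creds.get("system_scope") == value
        else:
            ok = False  # unknown term: fail closed
        if not ok:
            return False
    return True


class MiniEnforcer:
    def __init__(self, enforce_scope):
        self.enforce_scope = enforce_scope
        self.registered_rules = {}  # name -> (check_str, scope_types), from code
        self.rules = {}             # name -> effective check string

    def register_default(self, name, check_str, scope_types=()):
        self.registered_rules[name] = (check_str, tuple(scope_types))
        self.rules.setdefault(name, check_str)

    def load_overrides(self, overrides):
        # Modelled policy file: rule name -> check string, no scope_types.
        self.rules.update(overrides)

    def enforce(self, name, creds):
        registered = self.registered_rules.get(name)
        if self.enforce_scope and registered and registered[1]:
            # Scope gate consults the registered default, not the override.
            if creds.get("scope") not in registered[1]:
                return False
        return check(self.rules[name], creds)


def demo(enforce_scope, scope="project"):
    e = MiniEnforcer(enforce_scope)
    e.register_default("identity:list_services",
                       "role:reader and system_scope:all", ["system"])
    e.load_overrides({"identity:list_services": "role:reader"})  # operator override
    creds = {"roles": ["reader"], "scope": scope}  # constructed token data
    return e.enforce("identity:list_services", creds)
```

In this model the override takes effect only when scope enforcement is off or the token's scope already matches the registered default; a project-scoped reader is rejected before the overridden check string is evaluated.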